Managing the Risk of Fraud Using ISO 31000
Paul J. Sobel, Vice President / Chief Audit Executive, Georgia-Pacific LLC

Outline
• Overview of ISO 31000 – New Global Risk Management Standard
• Framework for Fraud Risk Management
• Fraud Risk Assessment
• Treating, Monitoring & Reporting on Fraud Risk
• Internal Audit’s Role in Fraud Risk Management
ISO 31000 – A Brief History
• Australia/New Zealand Standard #4360 (1995, 1999, 2004)
• COSO ERM (2004)
• ISO 31000: Risk Management – Principles and Guidelines (2009)
  – ISO Guide 73: Risk Management – Vocabulary
  – ISO 31010: Risk Management – Risk Assessment Techniques

The Flow of Risk Management
• The principles provide the foundation and describe the qualities of effective risk management in an organization.
• The framework manages the overall process and its full integration into the organization.
• The process for managing risk focuses on individual or groups of risks: their identification, analysis, evaluation and treatment.
• Monitoring & review, continuous improvement and communication occur throughout.
ISO 31000 – An Overview

Principles (Clause 3)
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organization

Framework (Clause 4)
• Mandate and commitment (4.2)
• Design of framework for managing risk (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)

Process (Clause 5)
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4)
  – Risk identification (5.4.2)
  – Risk analysis (5.4.3)
  – Risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6)
Linkage of Principles to Fraud

ISO 31000 Principle                 | Applicability to Fraud
------------------------------------|----------------------------------
Creates value                       | Protects value
Integral part of processes          | Embedded in processes
Part of decision making             | Influences decisions
Addresses uncertainty               | Fraught with uncertainty
Systematic, structured & timely     | Systematic, structured & timely
Best available information          | Predictive/detective information
Tailored                            | Company specific
Human & cultural factors            | Culturally dependent
Transparent & inclusive             | Must include everybody
Dynamic; responsive to change       | Keep up with the fraudsters
Facilitates continual improvement   | Requires continual improvement
Fraud Framework
• Mandate and commitment (4.2): commitment from the top; must reflect the tone at the top.
• Design of framework for managing risk (4.3): must understand the business and have policy, reporting, accountability & implications.
• Implementing risk management (4.4): goes beyond risk assessment (a process to follow).
• Monitoring and review of the framework (4.5): fraudsters evolve; so must the fraud program.
• Continual improvement of the framework (4.6): goes beyond detecting fraud; includes cultural changes, etc.
Determine Fraud Risk Criteria
• Support the success and operation of the organization.
• Help define the direction for fraud risk management.
• Should be established by the board and senior management (i.e., top-down).
• Consider the real-life context affecting long-term consequences.
Fraud Risk Capacity
• Organization’s total capability to absorb outcomes from fraud events.
• May even define the boundaries for survival.
• Could be individual fraud event outcomes or aggregate outcomes of multiple events.
• Common examples:
  – Judgments from litigation
  – Violations of laws and regulation
  – Damage to reputation
Fraud Risk Attitude
• Risk Management Philosophy (COSO) – “Set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities.”
• Risk Attitude (ISO 31000) – “Organization’s approach to assess and eventually pursue, retain, take or turn away from risk.”
• Think of it as a spectrum reflecting an organization’s propensity to take on risk:
  – Risk Averse ←――――→ Risk Accepting
Fraud Risk Appetite
• Definition
  – Type and total amount of risk an organization is willing to take on in pursuit of its business objectives.
  – You can’t necessarily avoid all fraud risk; some risk must be accepted in pursuit of strategic objectives.
  – Should consider fraud risk capacity and reflect the organization’s fraud risk attitude.
  – Ultimately, it’s about balancing success and survival.
Fraud Risk Appetite Examples
• We will strive for 100% compliance with laws and regulations.
• We will seek new markets for our products, but only in countries with a Global Integrity Index of “moderate” or higher.
• We will not do business with contractors who refuse to sign our Code of Ethics acknowledgement.
• We will not tolerate any actions of fraud or misappropriation by any employee, regardless of position.
• There will be no retaliation against any whistleblowers.
Fraud Risk Tolerance
• COSO Definition – “Acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.”
• ISO 31000 Definition – “Organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.”
• My Definition – Risk-taking boundaries within which managers and employees are expected to perform in pursuit of the organization’s strategic, operations, reporting and compliance objectives.
Fraud Risk Tolerance
• Boundaries are expressed as the ceiling and/or floor related to key risk outcomes and effects, for example:
  – Financial results (current or future)
  – Reputation (real or perceived damage)
  – Health & safety (injuries, lost time)
  – Environmental (exceedances, spills, remediation costs)
  – Compliance (fines, penalties, sanctions)
  – Customer satisfaction (ratings, market share)
  – Warranty defects (liability, cost to repair)
Fraud Risk Tolerance Examples
• In fraud cases where we can seek restitution, we will only do so if the costs are not more than 150% of the expected restitution amount.
• Internal controls should be designed to ensure duties are segregated to prevent any type of fraud without collusion.
• Monitoring efforts should be designed with a focus on detecting fraud events totaling $10,000 or more.
• Taking company assets for personal use is considered fraud if the value of such assets exceeds $25.
• There should be no frauds detected by our External Auditor.
Fraud Risk Management Process
• Establishing the Context
• Fraud Risk Assessment
  – Fraud risk identification
  – Fraud risk analysis
  – Fraud risk evaluation
• Fraud Risk Treatment
• Fraud Monitoring and Reporting
Fraud Risk Identification
• What examples of fraud have occurred in the past?
  – Inside the company
  – To others in our industry
• What examples of fraud haven’t occurred, but could have?
• What are the different outcomes (consequences) from fraud events?
Fraud Risk Analysis
• Where are these fraud events most likely to occur? Why?
• What are the different consequences of different types of fraud events?
• What conditions increase the likelihood of fraud events occurring?
• Are there interrelationships between events that could cause one to make another one worse?
Fraud Risk Evaluation
• What is the impact of possible outcomes from fraud events?
• How likely is it that fraud outcomes will be realized?
• What other factors may influence how we prioritize fraud risks?
• What does our prioritized risk profile look like?
Fraud Risk Assessment Criteria
• Traditional focus has been primarily on Impact and Likelihood.
• Tends to be single-point outcomes as opposed to a range of outcomes.
• A good foundation, but is it robust enough in today’s business world?
[Figure: 3×3 assessment matrix; vertical axis Impact (Low, Medium, High), horizontal axis Likelihood (Remote, Possible, Probable)]
What About Other Criteria?
• Risk velocity
• Interdependencies
• Risk tolerance
• Frequency of occurrence
• Readiness/preparedness
• Volatility
• Capacity
• Maturity
• Controllability
• Degree of confidence
• Monitorability
How Do You Make Sense of Multiple Criteria?
• Mapping multiple dimensions won’t work!
A Possible Approach
1. Start with the traditional impact/likelihood assessment.
2. Determine which other risk assessment factors are relevant and meaningful.
3. Assess whether those factors will significantly, moderately or negligibly affect:
   • How the risk is managed
   • How the risk is prioritized relative to other risks
   • How the risk is monitored and reported
One Example (traditional impact/likelihood ranking)

Risk | Impact | Likelihood | Factor A | Factor B | Priority
-----|--------|------------|----------|----------|---------
AAA  | High   | High       |          |          | 1
BBB  | High   | Medium     |          |          | 2
CCC  | Medium | High       |          |          | 3
DDD  | High   | Low        |          |          | 4
EEE  | Medium | Medium     |          |          | 5
FFF  | Low    | High       |          |          | 6
GGG  | Medium | Low        |          |          | 7
HHH  | Low    | Medium     |          |          | 8
III  | Low    | Low        |          |          | 9
One Example (ranking after considering the other factors)

Risk | Impact | Likelihood | Factor A | Factor B | Priority
-----|--------|------------|----------|----------|---------
AAA  | High   | High       |          |          | 1
BBB  | High   | Medium     |          |          | 3
CCC  | Medium | High       |          |          | 5
DDD  | High   | Low        |          |          | 2
EEE  | Medium | Medium     |          |          | 4
FFF  | Low    | High       |          |          | 6
GGG  | Medium | Low        |          |          | 8
HHH  | Low    | Medium     |          |          | 7
III  | Low    | Low        |          |          | 9
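As an added illustration that is not part of the presentation, the Python below implements the three-step approach: a traditional impact/likelihood ranking, then a re-ranking once the additional factors are rated significant, moderate or negligible. The numeric scale, the impact-first tie-break and the factor weights are my assumptions (chosen so that, with no factors applied, the ordering matches the first example table); the factor ratings for DDD and HHH are constructed sample input.

```python
"""Fraud-risk prioritization following the slide's three-step approach.
Scale, tie-break and factor weights are assumptions, not from ISO 31000."""

LEVEL = {"Low": 1, "Medium": 2, "High": 3}                    # assumed scale
EFFECT = {"significant": 2, "moderate": 1, "negligible": 0}   # assumed weights

# Constructed sample: the nine risks from the example table, plus two
# constructed factor ratings (step 2/3) for DDD and HHH.
RISKS = [
    {"name": "AAA", "impact": "High",   "likelihood": "High"},
    {"name": "BBB", "impact": "High",   "likelihood": "Medium"},
    {"name": "CCC", "impact": "Medium", "likelihood": "High"},
    {"name": "DDD", "impact": "High",   "likelihood": "Low",
     "factors": {"velocity": "significant"}},
    {"name": "EEE", "impact": "Medium", "likelihood": "Medium"},
    {"name": "FFF", "impact": "Low",    "likelihood": "High"},
    {"name": "GGG", "impact": "Medium", "likelihood": "Low"},
    {"name": "HHH", "impact": "Low",    "likelihood": "Medium",
     "factors": {"controllability": "moderate"}},
    {"name": "III", "impact": "Low",    "likelihood": "Low"},
]


def traditional_score(risk):
    """Step 1: impact plus likelihood on the assumed 1..3 scale."""
    return LEVEL[risk["impact"]] + LEVEL[risk["likelihood"]]


def adjusted_score(risk):
    """Step 3: each rated factor raises the score by its assumed weight."""
    bump = sum(EFFECT[rating] for rating in risk.get("factors", {}).values())
    return traditional_score(risk) + bump


def _rank(risks, score):
    # Higher score first; ties go to the higher impact, then to name so the
    # result is deterministic. Returns {risk name: priority}.
    ordered = sorted(risks, key=lambda r: (-score(r), -LEVEL[r["impact"]], r["name"]))
    return {r["name"]: position for position, r in enumerate(ordered, start=1)}


def prioritize(risks):
    """Traditional impact/likelihood priority (reproduces the first table)."""
    return _rank(risks, traditional_score)


def prioritize_with_factors(risks):
    """Priority after the additional factors are taken into account."""
    return _rank(risks, adjusted_score)


if __name__ == "__main__":
    for name, prio in prioritize_with_factors(RISKS).items():
        print(f"{name}: priority {prio}")
```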
Treating Fraud Risk
• Focus on highest priority risks first.
• Determine possible options for treatment.
  – Avoid, transfer, reduce or accept
• Decide on the best treatment option.
  – Should take into consideration fraud risk attitude and tolerance
Monitoring Fraud Risk
• Visible monitoring can be an effective deterrent to fraud.
• Must consider costs/benefits of monitoring to prevent fraud vs. monitoring to detect fraud.
• There are different things that can be monitored:
  – Fraud events
  – Effectiveness of the fraud system
  – Changes in the business context
Reporting Fraud Risk
• Educate the Board on the fraud risk profile and means to manage the risks.
• Determine an escalation protocol for various types of fraud events.
• Consider reporting of changes in business context and their impact on the fraud risk profile.
Internal Audit’s Role
• Help build the framework for fraud risk management.
• Facilitate fraud risk assessments.
• Provide assurance and advice on the effectiveness of:
  – Fraud risk treatments;
  – Fraud monitoring activities;
  – Fraud reporting.
• Provide fraud training and education.
Summary
• Just as the business world changes and evolves, so does fraud.
• It is important to have some structure to a fraud risk management program.
• Risk management techniques found in ISO 31000 can provide a good road map for fraud risk management.
• Internal auditors can play an important role in the fraud risk system.
Questions?